epeeler Check the CLI command "show high-availability all" to make sure there is no mismatch. If the CLI looks OK, then you can probably try restarting the management server with "debug software restart management-server". This is not service impacting, but it will kill your SSH/web session and you will have to log in again in a few minutes.

jprovine If your FW is not able to retrieve these AD groups ("Setup => User Identification => Group Mapping"), then I would recommend checking mp-log useridd.log to see if there are any errors or groups being denied. Amjad

From the logs it looks like it was completed successfully: 2015-05-19 14:30:15.945 +0200 Update URL was completed for passive peer. For the packet capture, because you are using the default service route via the mgmt interface, you need to do this from the CLI; please check this document for more details: https://live.paloaltonetworks.com/docs/DOC-4595
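The two replies above both point at mp-log files (useridd.log for group-mapping errors, and the "Update URL was completed for passive peer" line for the URL update). As an added example that is not from the original thread, the following Python snippet parses lines in the timestamp format shown in that log line, flags entries mentioning errors or denials, and measures how long a job took between its start and completion lines. The sample log content is constructed for this example and is not real device output; the start/denial message wording is assumed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the "YYYY-MM-DD HH:MM:SS.mmm +ZZZZ message" format
# seen in PAN-OS mp-log output. These are made up for this example; only the
# "Update URL was completed for passive peer" wording comes from the thread.
SAMPLE_LOG = """\
2015-05-19 14:29:58.102 +0200 Update URL was started for passive peer.
2015-05-19 14:30:15.945 +0200 Update URL was completed for passive peer.
2015-05-19 14:31:02.317 +0200 Error: LDAP bind failed for server 10.0.0.5: invalid credentials
2015-05-19 14:31:02.320 +0200 Group cn=vpn-users,ou=groups,dc=example,dc=com denied: not in include list
2015-05-19 14:32:40.001 +0200 Group mapping refresh finished
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<tz>[+-]\d{4}) (?P<msg>.*)$"
)

# Keywords a practitioner looks for when AD groups fail to populate.
FLAG_PATTERNS = (
    re.compile(r"\berror\b", re.IGNORECASE),
    re.compile(r"\bdenied\b", re.IGNORECASE),
    re.compile(r"\bfail(?:ed|ure)?\b", re.IGNORECASE),
)


def parse_line(line):
    """Return (aware datetime, message) for a well-formed log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tz = m.group("tz")
    sign = 1 if tz[0] == "+" else -1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    ts = datetime.strptime(
        f"{m.group('date')} {m.group('time')}", "%Y-%m-%d %H:%M:%S.%f"
    ).replace(tzinfo=offset)
    return ts, m.group("msg")


def find_problems(text):
    """Return (timestamp, message) tuples for lines mentioning errors or denials."""
    problems = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip continuation lines or debris that lacks a timestamp
        ts, msg = parsed
        if any(p.search(msg) for p in FLAG_PATTERNS):
            problems.append((ts, msg))
    return problems


def job_duration(text, start_marker, end_marker):
    """Seconds from the first start_marker line to the next end_marker line, or None."""
    start = None
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if start is None and start_marker in msg:
            start = ts
        elif start is not None and end_marker in msg:
            return (ts - start).total_seconds()
    return None


if __name__ == "__main__":
    for ts, msg in find_problems(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {msg}")
    print("Update URL took", job_duration(SAMPLE_LOG, "Update URL was started",
                                         "Update URL was completed"), "seconds")
```

To use it on a real file, run "tail mp-log useridd.log" (or "less mp-log") on the device, save the output locally, and pass the text to find_problems; lines that do not start with the expected timestamp are ignored rather than treated as errors.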

howardtopher If static routes don't work for you, then redistribution between dynamic routing protocols is the next best option. I guess there is no way to prevent bridging between virtual routers, because you need to advertise default routes into the inside of these VRs. Any host inside one of these VRs will send traffic using the default route, and if the destination exists in another VR it will go there. You need to control the traffic using security rules. So I guess it doesn't matter whether you redistribute BGP into OSPF or not, unless you have a big BGP routing table; if not, then this should not make any difference. Amjad

David This depends on how your firewall learns the IP-user mapping. For example, if you use UIA, I don't expect this will happen, because the agent is fast enough to learn the information from AD, and also the Windows OS takes some time to load all services and startup programs when the user logs in (I guess at least 10 seconds) before the user is able to open an internet browser. But if you use other methods, for example the GP client, I guess yes, because GP will take some time to connect and the firewall to learn the mapping. Amjad

Hello David, please check this Packet Flow in PAN-OS: a captive portal rule lookup is checked to see if the packet is subject to captive portal authentication. If captive portal is applicable, the packet is redirected to the captive portal daemon. This is done prior to security policy lookup. Hope this answered your question. Amjad

I believe what you are seeing is expected; basically ::/0 means anything, even though there is :: at the beginning. You can verify this by running the CLI command "show running security-policy", and you will see this address is translated to "any". If you want to use this in a security rule, I would recommend creating a special rule only for IPv6, so IPv4 traffic doesn't hit it. Amjad

KC Tunnel mode will establish an IPSec/SSL tunnel between the gateway and the client. This is usually used with external gateways; for internal gateways, tunnel mode is usually not used, and they are used for User-ID and HIP checks. Also, for tunnel mode an extra header will be added to the packet. You can use the external gateway; just make sure the interface is your inside interface (LAN), which is accessible by the users. Let me know if you have any more questions.

Gregoux Auto cost reference is used in Cisco to manage the cost of OSPF links; as you know, Cisco has a default cost value for each interface based on its speed (1000/100/10) or whether it is 10/100 Gig. This option is not available in PAN; in PAN, whenever you add an interface to an OSPF area, the default metric is set to 10. Hopefully that helped. Amjad

Marcin Can you paste the output of these two commands when this issue happens? Also check on the client side to make sure the tunnel is still up:
- show user ip-user-mapping-mp all type GP
- show global-protect-gateway current-user user marcin
Amjad